C
campag5242
For 08hxFFh crypt8's, I've been able to identify them from the family of payload length variants (len 9-15) which share that common first 8 bytes, even in cyphertext. The residue bytes (those beyond those first 8) are not encrypted with the BC, only with the SC xor.
The family of 08hxFFh crypt8 full payload length variants looks typically:
By xor'ing the residue bytes of one length variant together with any of its longer sibblings, you will see 0x00, 0x00... 0x7F. That works in both plaintext *and* cyphertext due to the nature of the SC. So, if you see that pattern in a crypt8's family of length variants, there's a strong chance that's an 08hxFFh crypt8.
There also exist encoders which have residue bytes with trailing 3 x 00h. Here the family is:
and a similar technique can be used to pick out the 08hxFFh C8 with high confidence.
Apparently the v1 rainbow table tool can in some circumstances pick out from that family of B8h triplets x030000, x000300, x000003 a likely B8hx030000h C8, and tag it as such. All members of that triplet family have only one length variant each, so no such tricks with residue bytes can be used. Does anyone have an inkling as to how the v1 tool might do that?
The family of 08hxFFh crypt8 full payload length variants looks typically:
Code:
FF FF FF FF FF FF FF FF 80
FF FF FF FF FF FF FF FF FF 80
FF FF FF FF FF FF FF FF FF FF 80
FF FF FF FF FF FF FF FF FF FF FF 80
FF FF FF FF FF FF FF FF FF FF FF FF 80
FF FF FF FF FF FF FF FF FF FF FF FF FF 80
FF FF FF FF FF FF FF FF FF FF FF FF FF FF 80
|------08hxFFh C8------|
|---residue bytes----|
By xor'ing the residue bytes of one length variant together with any of its longer sibblings, you will see 0x00, 0x00... 0x7F. That works in both plaintext *and* cyphertext due to the nature of the SC. So, if you see that pattern in a crypt8's family of length variants, there's a strong chance that's an 08hxFFh crypt8.
There also exist encoders which have residue bytes with trailing 3 x 00h. Here the family is:
Code:
FF FF FF FF FF FF FF FF 80 00 00 00
FF FF FF FF FF FF FF FF FF 80 00 00 00
FF FF FF FF FF FF FF FF FF FF 80 00 00 00
FF FF FF FF FF FF FF FF FF FF FF 80 00 00 00
|------08hxFFh C8------|
|---residue bytes----|
Apparently the v1 rainbow table tool can in some circumstances pick out from that family of B8h triplets x030000, x000300, x000003 a likely B8hx030000h C8, and tag it as such. All members of that triplet family have only one length variant each, so no such tricks with residue bytes can be used. Does anyone have an inkling as to how the v1 tool might do that?